In my recent article on blocking proxy servers, I explain how to use HTAccess to deny site access to a wide range of proxy servers. The method works great, but some readers want to know how to allow access for specific proxy servers while denying access to as many other proxies as possible.

Fortunately, the solution is as simple as adding a few lines to my original proxy-blocking method. Specifically, we may allow any requests coming from our whitelist of proxy servers by testing Apache’s HTTP_REFERER variable, like so:
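As a minimal sketch of what such whitelist conditions can look like: the three hostnames are placeholders (assumptions, not real proxies), and the pattern style follows the one quoted in the comments further down.

```apache
# Whitelist sketch: each condition is true when the referrer does NOT
# contain the given host. Hostnames are hypothetical placeholders.
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-01\.domain\.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-02\.domain\.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-03\.domain\.tld(.*)
```

These conditions carry no flags, so Apache joins them with its implicit AND. They do nothing on their own and only take effect once they sit above a RewriteRule.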

Notice the pattern here. Each line matches against the specified proxy server in the referrer variable. Once integrated into the original method, each of the three specified hosts will be allowed access to your site. Thus, by editing these directives to match the names and number of your whitelisted proxy servers, you can allow access to any list of proxies or other referrers while blocking many of the others.

Integration

To integrate your customized whitelist RewriteConditions with the original proxy-block method, simply place them near the end of the existing conditions, directly above the RewriteRule, like so:
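A hedged sketch of the integrated result follows. It shows only four proxy-related headers as an illustrative subset (the original method tests twelve, and the exact list is not reproduced here), and the whitelist hostnames are again placeholders.

```apache
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Proxy checks: true when the header is non-empty.
  # Illustrative subset only; every condition but the last carries [OR].
  RewriteCond %{HTTP:Via}              !^$ [OR]
  RewriteCond %{HTTP:Forwarded}        !^$ [OR]
  RewriteCond %{HTTP:X-Forwarded-For}  !^$ [OR]
  RewriteCond %{HTTP:Proxy-Connection} !^$

  # Whitelist: implicitly ANDed with the OR group above.
  # Hostnames are hypothetical placeholders.
  RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-01\.domain\.tld(.*)
  RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-02\.domain\.tld(.*)
  RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-03\.domain\.tld(.*)

  # Deny with 403 Forbidden when all of the above holds.
  RewriteRule ^ - [F]
</IfModule>
```

With this arrangement, a request carrying a Via header and a referrer containing allowed-proxy-02.domain.tld gets through, while the same request with any other referrer receives a 403.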

Just slap that bad boy into your server’s httpd.conf file or the HTAccess file of your choice (generally the root HTAccess file), and you’re golden. Note that not all proxies reveal the information targeted in these directives, but many of them continue to do so. Thus, with this code in place, you will enjoy protection against unwanted proxies while allowing open access to the proxy servers or other referring domains of your choice.

Comprehension

Here at Perishable Press, we’re all about understanding how these types of methods actually work. Comprehension is important, especially when it comes to this type of black-magic Apache voodoo. So let’s enjoy a few explanatory spoonfuls, shall we?

As usual, we first check for the required Apache module, which in this case is the inimitable mod_rewrite. Then, after initializing the rewrite engine, the next twelve lines test different variables for any (non-empty) value. These twelve variables are associated with proxy servers and may contain data when a request passes through one. The [OR] flags appended to the first eleven of the RewriteConditions cumulatively tell Apache something to the effect of “if any of these variables contain any value whatsoever, then invoke the specified RewriteRule”. And this is where the original proxy-blocking directives end. The rewrite is then applied for any matched cases, and the unwanted proxy visits are subsequently denied.

In this updated method, however, we also want to allow our choice of specific proxy servers. So, by appending the previously discussed whitelist directives to the list of RewriteConditions, we are qualifying the first twelve conditions as follows:

if the client is being sent via this proxy method OR this proxy method OR this proxy method OR this proxy method OR … this proxy method, AND the referrer is not allowed-proxy-01 AND the referrer is not allowed-proxy-02 AND the referrer is not allowed-proxy-03, then invoke the specified RewriteRule.

And so, if the entire collection of conditions proves true, the specified RewriteRule will be applied and the proxy request will be blocked. Conversely, if the referrer is on the whitelist, the request will be granted access, regardless of whether or not any of the previous proxy variables contain values.

Sayonara

That’s it for this fine tutorial. Please let me know if you have any questions, concerns or criticisms regarding this method. Hopefully, the explanation is clear, but if not, please let me know!

Very soon. The 4G is ready to go; I just need to finish the articles that go along with its release. I have removed the user-agent blacklist and the referrer blacklist and will present them as optional, independent (and extremely beefed up) blacklists along with the 4G. The 4G still contains multiple parts, but user-agents and referrers will not be targeted.

@James: One example that comes readily to mind involves company intranets, where proxy servers are frequently employed throughout the network. This article was written because numerous people were asking how it could be done, and intranet proxies were one of the reasons why it was necessary.

“prislea: is there a way to allow access by IP?”
That’s what I’m asking. If I added something like RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-01.verizon.tld(.*)
Would cell phone users on Verizon have access?

@James: It’s all in how you specify the rewrite logic. To ensure that the proxy conditions are only matched when the referrer is not Verizon, drop the [OR] flags and rely instead on the implicit AND that Apache applies between conditions that carry no flag.

About the site

Perishable Press is the work of Jeff Starr, professional developer, designer, author, and publisher with over 10 years of experience.

Fun fact: Perishable Press has been online since 2005, and now features over 700 articles and more than 11,000 comments.